Information Security News | AI Aggregator

A Chinese-speaking APT group, UAT-7237, has breached web infrastructure in Taiwan using customized open-source tools. Active since 2022, it is linked to UAT-5918, which targets critical infrastructure. UAT-7237 employs a bespoke shellcode loader, SoundBill, to deploy Cobalt Strike and uses SoftEther VPN for persistent access. The group exploits unpatched servers, conducts reconnaissance, and utilizes tools like JuicyPotato and Mimikatz for credential extraction. They also modify Windows Registry settings to disable UAC.

A Chinese government-backed cyber group, UAT-7237, breached a Taiwanese web hosting provider to steal credentials and establish backdoor access. Active since at least 2022, they use Cobalt Strike for implants and exploit unpatched vulnerabilities on exposed servers. Their tactics include reconnaissance, deploying custom malware like SoundBill, and using tools like JuicyPotato for privilege escalation. The group shows distinct methods compared to related APT UAT-5918, focusing on VPN and cloud infrastructure access.

APT group UAT-7237 has targeted web infrastructure in Taiwan using customized open-source tools for long-term access. Active since at least 2022, it shows overlaps with UAT-5918, known for info theft. UAT-7237 exploits unpatched servers, conducts reconnaissance, and establishes persistence via SoftEther VPN and RDP. They utilize a custom loader, SoundBill, for credential theft, employing tools like Mimikatz and JuicyPotato. Their VPN setup was active from Sept 2022 to Dec 2024. IOCs are published on GitHub.

Cisco has issued security updates for a critical vulnerability (CVE-2025-20265, CVSS 10.0) in Secure Firewall Management Center (FMC) Software, allowing remote code execution via the RADIUS subsystem. Affected versions are 7.0.7 and 7.7.0 with RADIUS authentication enabled. Other high-severity vulnerabilities were also addressed, including multiple denial-of-service issues (CVSS 8.6) across various Cisco Secure Firewall products. Users are urged to apply patches promptly, as no workarounds exist.

Cisco patched a critical vulnerability (CVE-2025-20265, CVSS 10.0) in Secure Firewall Management Center (FMC) Software, affecting versions 7.0.7 and 7.7.0 with RADIUS authentication enabled. The flaw allows unauthenticated remote attackers to execute arbitrary code due to improper input handling during authentication. No workaround exists; mitigation involves switching to local, LDAP, or SAML SSO authentication. Cisco PSIRT reports no known exploits in the wild.

Cisco disclosed a critical remote code execution (RCE) vulnerability, CVE-2025-20265, in its Secure Firewall Management Center (FMC) Software, with a CVSS score of 10.0. The flaw affects versions 7.0.7 and 7.7.0 with RADIUS authentication enabled, allowing unauthenticated remote attackers to execute arbitrary commands. Cisco advises immediate software updates and suggests alternative authentication methods to mitigate risks. The advisory is part of a larger publication addressing 29 vulnerabilities across Cisco products.

Cisco disclosed a critical vulnerability (CVE-2025-20265) in its Secure Firewall Management Center Software, allowing unauthenticated attackers to execute arbitrary commands. The flaw, with a CVSS rating of 10, affects versions 7.0.7 and 7.7.0 when RADIUS authentication is enabled. Cisco released a patch and urged customers to upgrade, as there are no workarounds. The vulnerability highlights security risks in edge devices, which are often targeted due to their network boundary positions.

Cisco has patched a critical vulnerability (CVE-2025-20265) in its Secure Firewall Management Center (FMC) software, rated 10.0 CVSS. This flaw allows unauthenticated remote attackers to execute arbitrary shell commands due to improper handling of user input in the RADIUS authentication subsystem. Exploitation requires FMC to use RADIUS for web-based management or SSH. No known in-the-wild exploitation exists yet, but urgency in patching is advised due to potential targeting by state-sponsored actors.

Admins using Cisco Secure Firewall Management Center (FMC) Software (versions 7.0.7 and 7.7.0) are urged to patch a critical vulnerability that could enable remote attackers to breach security. This issue affects deployments using RADIUS authentication for web-based management or SSH. The vulnerability arises from improper handling of user input during authentication, allowing attackers to send crafted input to the RADIUS server, potentially executing high-privilege commands.

On August 9, 2025, the Canadian House of Commons experienced a cyberattack exploiting a Microsoft vulnerability, compromising sensitive employee data. The breach involved unauthorized access to a database containing names, job titles, and email addresses. Cybersecurity experts suspect the exploitation of CVE-2025-53770, a critical SharePoint Server vulnerability. The Communications Security Establishment is investigating, urging vigilance among employees against potential phishing and impersonation attacks.

Hackers breached Canada’s House of Commons by exploiting a Microsoft vulnerability, compromising employee data including names, job titles, and email addresses. The breach, linked to the SharePoint zero-day CVE-2025-53770, was reported on August 15, 2025. Canada’s Communications Security Establishment is investigating the incident. Staff were warned to be vigilant against potential scams. The vulnerability, with a CVSS score of 9.8, allows unauthorized code execution in SharePoint Server.

Canada’s House of Commons experienced a cyberattack resulting in the loss of sensitive employee data, including names, email addresses, job titles, and device information. The breach was attributed to a recent Microsoft vulnerability, likely linked to the SharePoint flaw CVE-2025-53770, which has been exploited by various threat actors. The House of Commons and Canada’s Communications Security Establishment are investigating the incident, urging employees to remain vigilant against potential phishing attempts.

A new vulnerability in HTTP/2, named MadeYouReset (CVE-2025-8671), allows attackers to bypass limits on concurrent requests, facilitating large-scale DoS attacks. It exploits server behavior by triggering RST_STREAM frames through crafted invalid control frames, leading to resource exhaustion. Affected products include Apache Tomcat (CVE-2025-48989), F5 BIG-IP (CVE-2025-54500), and Netty (CVE-2025-55163). The CERT Coordination Center emphasizes the need for robust protections against such subtle attacks as HTTP/2 remains critical for web infrastructure.

Security researchers have identified a Denial of Service (DoS) vulnerability in HTTP/2, named "MadeYouReset" (CVE-2025-8671), which allows attackers to bypass concurrency limits and create unbounded requests, potentially leading to server crashes. This flaw affects numerous vendors, including Apache Tomcat, Cisco, and Microsoft. Mitigation strategies include stricter protocol validation and anomaly detection. Patches have been released by some vendors, while others are investigating or have confirmed they are affected.

A new vulnerability named MadeYouReset in the HTTP/2 protocol allows attackers to launch unlimited DDoS attacks, discovered by Deepness Lab. It exploits a design feature enabling rapid connection streams, similar to the previously identified Rapid Reset attack. Affected systems include Fastly, Apache Tomcat, and F5 devices, with CVE-2025-8671 assigned. Akamai notes fewer implementations are vulnerable this time. The likelihood of exploitation is deemed 100%, particularly in the context of hacktivism.

Security researchers have discovered a new DDoS vulnerability in HTTP/2, termed MadeYouReset (CVE-2025-8671), publicly disclosed on August 13, 2025. This flaw allows attackers to bypass concurrency limits, overwhelming servers with excessive requests. It builds on the 2023 Rapid Reset vulnerability (CVE-2023-44487). Affected projects include Netty, Apache Tomcat, and F5 BIG-IP. Immediate patching and rate-limiting are recommended to mitigate risks. The vulnerability poses significant threats as web traffic increasingly utilizes HTTP/2.

Active police and government email accounts are being sold on the dark web for as low as $40, posing significant risks to institutional trust. Compromised accounts, sourced from agencies in the U.S., U.K., Germany, India, and Brazil, allow attackers to impersonate officials and issue fraudulent requests. Common compromise methods include credential stuffing, infostealer malware, and targeted phishing. The report emphasizes the need for stronger authentication and better password practices to mitigate these threats.

Criminals are selling compromised FBI and other government email accounts on dark web marketplaces for as low as $40. These active accounts allow impersonation of officials, enabling further criminal activities like fraudulent subpoenas and emergency data requests. The report by Abnormal AI highlights methods of theft, including credential stuffing and phishing. The compromised accounts can access sensitive data and law enforcement systems, posing significant risks to personal information security.

Security researchers from Abnormal AI have discovered a dark web market where compromised government and police email accounts are sold for as little as £4. Active accounts from the US, UK, Germany, and other countries are available, including those from the FBI and various law enforcement agencies. These accounts allow hackers to extract sensitive data and issue fake legal requests, bypassing traditional email security measures. The FBI has previously warned about this trend and recommends monitoring external connections and limiting access.

Compromised FBI.gov email accounts are being sold on the dark web for $40, raising concerns about potential large-scale malware campaigns. Sellers offer full SMTP, POP3, or IMAP credentials, enabling buyers to impersonate trusted authorities and submit forged emergency requests to tech companies. This could lead to unauthorized access to sensitive data. Common methods for obtaining these accounts include credential stuffing, infostealer malware, and targeted phishing. The trend reflects a commoditization of institutional trust.

U.S. CISA has added two vulnerabilities in N-able N-Central to its Known Exploited Vulnerabilities catalog: CVE-2025-8875 (Insecure Deserialization) and CVE-2025-8876 (Command Injection). These vulnerabilities require authentication to exploit but pose a risk if unpatched. Organizations must upgrade to N-central version 2025.3.1, which addresses these issues. Federal agencies are mandated to remediate by August 20, 2025, while private organizations are advised to review and address these vulnerabilities.

CISA has issued warnings about two critical vulnerabilities in N-able N-Central software: CVE-2025-8875 (insecure deserialization) and CVE-2025-8876 (command injection). Both vulnerabilities allow remote code execution and are actively exploited. Organizations must implement fixes by August 20, 2025, or discontinue use. N-able has released version 2025.3.1 to address these issues. The vulnerabilities pose significant risks, enabling unauthorized access and potential system compromise.

Two vulnerabilities (CVE-2025-8875, CVE-2025-8876) in N-able's N-central RMM solution are being exploited, confirmed by CISA. CVE-2025-8875 is an insecure deserialization vulnerability, while CVE-2025-8876 is a command injection vulnerability. Attackers need valid credentials to exploit them. N-able released fixes in versions v2025.3.1 and v2024.6 HF2, urging customers to upgrade. CISA has not confirmed exploitation in ransomware campaigns, but risks to customer environments exist if unpatched.

Proofpoint researchers have identified vulnerabilities in certain FIDO authentication implementations, particularly Windows Hello for Business, which are susceptible to downgrade attacks. This technique exploits the fact that not all web browsers support FIDO passkeys, such as Safari on Windows. Attackers can perform an Adversary-in-the-Middle (AiTM) attack to masquerade as an unsupported user agent, forcing users to revert to less secure authentication methods, thereby compromising security.

A new threat vector targets FIDO-based passkeys, undermining their security. Hackers exploit a vulnerability in FIDO implementations, particularly in Microsoft Entra ID, where some browsers lack full passkey support. This allows attackers to force users to downgrade to less secure authentication methods. The attack uses sophisticated user agent spoofing to present a fake error, prompting victims to authenticate through traditional methods, enabling session hijacking and account takeover.

Experts warn that FIDO-based authentication for Microsoft Entra ID can be bypassed due to unsupported clients, such as Safari on Windows. This leads to a fallback to weaker login methods, which can be intercepted via Adversary-in-the-Middle (AiTM) attacks. Proofpoint's research highlights this vulnerability, noting that attackers can exploit the situation by spoofing unsupported user agents. While no current abuse has been reported, businesses are advised to disable alternative authentication methods for critical accounts to mitigate risks.

Research by Proofpoint reveals vulnerabilities in FIDO authentication, typically seen as secure against phishing. They identified a downgrade attack technique, demonstrated using Microsoft Entra ID, where users are manipulated into using less secure authentication methods due to browser compatibility issues. Attackers can exploit unsupported user agents in a modified Adversary-in-the-Middle (AiTM) attack, forcing users to bypass FIDO passkeys, undermining the security FIDO aims to provide.

Xerox has released a security upgrade for critical vulnerabilities in its FreeFlow Core application, which could allow remote code execution. Discovered by Horizon3.ai, the flaws include a critical path traversal vulnerability (CVE-2025-8356, CVSS 9.8) and an XML input handling issue (CVE-2025-8355, CVSS 7.5). Customers are urged to upgrade to version 8.0.5 to mitigate risks. For systems that cannot be patched, limiting access to the JMF Client service on Port 4004 is recommended.

Zoom has patched a critical Windows client vulnerability (CVE-2025-49457, CVSS 9.6) that allows privilege escalation via an untrusted search path. This flaw affects several products, including Workplace and Rooms for Windows, prior to version 6.3.10. An unauthenticated user can exploit this vulnerability to gain higher system privileges, potentially leading to malware installation or data theft. The advisory highlights the risk of attackers using Zoom as an entry point into secure corporate networks.

Critical vulnerabilities in Xerox FreeFlow Core, tracked as CVE-2025-8355 and CVE-2025-8356, allow unauthenticated remote code execution. The XXE injection flaw (CVE-2025-8355) enables SSRF attacks, while the path traversal flaw (CVE-2025-8356) allows attackers to write files to arbitrary server locations. Both pose significant risks to organizations handling sensitive materials. Xerox has patched these vulnerabilities in version 8.0.5, and immediate upgrades are strongly recommended.

Zoom has patched a critical vulnerability (CVE-2025-49457) in its Windows client that could allow attackers to escalate privileges and take over endpoints. The flaw arises from improper handling of dynamic libraries (DLLs), enabling malicious DLLs to be loaded without authentication. This could lead to the installation of persistent malware or the harvesting of sensitive files. Affected versions include Zoom Workplace, VDI, Rooms, and Meeting SDK for Windows prior to 6.3.10. Users are urged to update immediately.

Italy's digital agency (AGID) confirmed a cybercriminal, known as mydocs, breached the booking systems of at least ten hotels, stealing thousands of guests' sensitive ID documents from June to August. Nearly 100,000 identity documents, including passports, were reportedly listed for sale. AGID intercepted an illegal sale, validating the claims. The Italian Data Protection Authority (GDDP) has initiated an investigation and urged hotels to report anomalies and notify affected guests.

The Italian government reported that identity documents of tens of thousands of hotel guests have been stolen and are being sold online by a cybercriminal known as “mydocs.” Over 90,000 high-resolution scans of passports and IDs from 10 hotels were offered on an underground forum. Guests are advised to monitor for misuse of their data. The breaches occurred in June and July 2023. CERT-AGID emphasized the need for stronger protective measures for organizations handling identity documents to prevent unauthorized access.

A cyberattack has compromised the booking system of multiple hotels in Italy, leading to the theft of sensitive information from approximately 100,000 guests, including passport scans and ID cards. The threat actor, known as mydocs, is selling this data on the dark web. Italy’s digital transformation agency, AGID, confirmed the breach, warning that the stolen data could facilitate identity theft and fraud. An investigation is underway, and victims are advised to be cautious of suspicious communications.

Cybercriminals have breached the booking systems of at least ten Italian hotels, stealing tens of thousands of high-resolution scans of guests' ID documents, including passports and national ID cards. The hacker group “mydocs” infiltrated these systems during June and July, with the stolen data now being sold on dark web forums for $1,000 to $10,000. Guests are advised to contact the hotels if they suspect their data was compromised and to remain vigilant against potential scams and phishing attempts.

Fortinet has issued patches for a critical OS command injection vulnerability (CVE-2025-25256) in FortiSIEM, which is actively being exploited. This vulnerability affects multiple versions of FortiSIEM, allowing unauthenticated attackers to execute unauthorized commands via crafted CLI requests. Affected versions include 7.3.0-7.3.1, 7.2.0-7.2.5, and older branches down to 5.4. Admins should upgrade to patched versions or restrict access to TCP port 7900. Exploit code lacks distinctive indicators, complicating detection.

Fortinet has issued a warning regarding a critical vulnerability in FortiSIEM, identified as CVE-2025-25256, with a CVSS score of 9.8. This OS Command Injection flaw allows unauthenticated attackers to execute unauthorized commands. Affected versions include FortiSIEM 6.1 to 6.6, 6.7.0 to 6.7.9, 7.0.0 to 7.0.3, 7.1.0 to 7.1.7, and 7.2.0 to 7.2.5, with recommendations to upgrade to fixed releases. Organizations are advised to limit access to port 7900. Exploit code is reportedly in the wild.

Fortinet has issued a warning regarding a critical vulnerability in FortiSIEM, tracked as CVE-2025-25256, with a CVSS score of 9.8, that is actively being exploited. This OS command injection flaw allows unauthenticated attackers to execute arbitrary code via crafted CLI requests. Affected versions include FortiSIEM 6.1 to 6.6 and various 7.x versions, with specific upgrade recommendations provided. Fortinet advises limiting access to the phMonitor port (7900) as a workaround.

Fortinet disclosed a critical OS-command-injection vulnerability (CVE-2025-25256) in FortiSIEM, rated 9.8 CVSS, affecting versions 7.3.0-7.3.1, 7.2.0-7.2.5, 7.1.0-7.1.7, 7.0.0-7.0.3, and prior to 6.7.9. An unauthenticated attacker can execute arbitrary commands, risking complete system takeover. Customers are advised to upgrade or limit access to port 7900. Following the disclosure, GreyNoise reported a surge in brute-force attempts against Fortinet SSL VPNs, with notable spikes correlating with the vulnerability announcement.

Fortinet issued a warning about a critical OS command injection vulnerability in FortiSIEM, designated CVE-2025-25256, with a CVSS score of 9.8. This flaw could allow unauthenticated attackers to escalate privileges and execute commands. Fortinet advised customers to upgrade to the latest version and limit access to port 7900. Concurrently, GreyNoise reported a spike in brute-force attacks against Fortinet's SSL VPNs, observing over 780 unique IPs targeting credentials, though no direct link to the CVE was confirmed.

Sysadmins are urged to update Fortinet's FortiSIEM due to CVE-2025-25256, a critical escalation of privilege vulnerability with a CVSS score of 9.8. Exploit code is circulating, allowing unauthenticated attackers to execute unauthorized commands via crafted CLI requests. The exploit does not produce distinctive IoCs, complicating detection efforts. FortiSIEM, aimed at medium and large enterprises, is at risk, especially amid increased brute-force attacks on Fortinet SSL VPNs.

Fortinet patched a critical vulnerability in FortiSIEM, tracked as CVE-2025-25256, allowing unauthenticated attackers to execute unauthorized code. A working exploit was detected in the wild. The flaw arises from improper sanitization of OS command requests in the CLI. Fixed in versions 7.3.2, 7.2.6, 7.1.8, 7.0.4, and 6.7.10, FortiSIEM 7.4 is unaffected, while versions 6.6 and below should migrate to supported branches as they will not receive a fix.

A new malvertising campaign has emerged, deploying PS1Bot malware, which features a modular design for various malicious activities, including information theft and keylogging. Active since early 2025, it uses in-memory execution to minimize forensic traces. The attack begins with a ZIP file containing a JavaScript downloader that retrieves a PowerShell script, enabling communication with a command-and-control server. Key functionalities include antivirus detection, screen capture, wallet grabbing, and persistence mechanisms. Google is enhancing ad protection using AI to combat invalid traffic.

Cisco Talos has identified a new malware framework named PS1Bot, distributed via malvertising and SEO poisoning. PS1Bot functions as an infostealer, keylogger, and screen grabber, capable of logging keystrokes and stealing cryptocurrency data. It employs a JavaScript dropper that executes a PowerShell script, connecting to a command-and-control server for further commands. The malware's modular design allows for rapid updates and additional functionalities, including persistence on infected devices.

An ongoing malvertising campaign in 2025 deploys the PowerShell-based malware PS1Bot, which can steal sensitive data, log keystrokes, and maintain persistence. Victims download a compressed archive containing a JavaScript file that retrieves a PowerShell script from a command-and-control server. Distinct modules perform various functions, including antivirus detection, screen capture, and cryptocurrency theft. The malware's architecture shows similarities to AHK Bot, suggesting ongoing evolution and potential undiscovered modules.

Cisco Talos reported a malvertising campaign distributing "PS1Bot," a multi-stage malware framework that uses PowerShell and C# to steal sensitive information and maintain persistent access. The campaign, active throughout 2025, targets browser credentials and cryptocurrency wallets while evading detection. Users are advised to be cautious when downloading files, keep security software updated, and use dedicated password managers. Additionally, the article highlights vulnerabilities exploited by Russian hackers and a Citrix NetScaler flaw affecting organizations in the Netherlands.

Cisco Talos has identified a new malware framework named PS1Bot, active since early 2025, which spreads through malvertising. This malware targets sensitive information, including passwords and cryptocurrency wallet seed phrases, using techniques like keylogging and in-memory execution to evade detection. It is delivered via compressed files disguised as legitimate documents. Continuous updates indicate ongoing development by the creators, posing a significant risk to internet users. Caution is advised when downloading files from unfamiliar sources.

A new malware campaign named "PS1Bot" targets Windows systems, utilizing a multi-stage framework that combines PowerShell and C# for extensive information theft. It employs malvertising to deliver compressed files containing a JavaScript downloader, which retrieves additional malicious components. PS1Bot features stealthy in-memory execution and clever persistence strategies, creating randomly-named PowerShell scripts for reactivation post-reboot. It specifically targets cryptocurrency wallets, exfiltrating sensitive data via HTTP POST requests.

Manpower confirmed a data breach affecting 144,189 individuals, with unauthorized access detected on January 20 during an IT outage investigation. The breach occurred between December 29, 2024, and January 12, 2025, compromising personal data. Manpower notified affected individuals on August 11 and is offering 12 months of complimentary credit monitoring. The FBI has been notified, and the RansomHub ransomware group claimed responsibility, alleging the exfiltration of 500GB of data.

Manpower confirmed a data breach affecting approximately 145,000 users, detected in late 2024. The breach involved unauthorized access to sensitive personal information between December 29, 2024, and January 12, 2025. RansomHub, a ransomware group, claimed responsibility, stating they stole around 500GB of data, including personal IDs and corporate documents. Manpower is offering affected individuals free credit monitoring and identity theft protection through Equifax.

A ransomware attack on Manpower in January 2025 compromised the personal data of 144,180 individuals. The incident, attributed to the RansomHub group, occurred between December 29, 2024, and January 12, 2025, leading to an IT outage on January 20. Manpower has since enhanced its security and is offering affected individuals 24 months of free credit monitoring and identity theft protection. The attackers claimed to have stolen 500 GB of data, including sensitive personal and corporate information.

A new ransomware family named Charon is targeting the Middle East's public sector and aviation industry, employing advanced persistent threat (APT) evasion tactics. Researchers noted techniques like DLL side-loading and process injection, similar to those used by the Earth Baxia group. Charon disrupts security services and uses a driver from the Dark-Kill project to disable EDR solutions. The campaign appears targeted, indicated by customized ransom notes. Recent statistics reveal that 57% of organizations faced successful ransomware attacks in the past year.

A new ransomware family named Charon targets the Middle East's public sector and aviation, employing advanced persistent threat (APT) tactics such as DLL side-loading and process injection. Discovered by Trend Micro, Charon uses a legitimate Edge.exe file to load a malicious DLL, enabling it to evade detection. It partially encrypts files, deletes backups, and drops victim-specific ransom notes. The ransomware also features a dormant driver to disable EDR solutions, indicating ongoing development and a concerning trend of APT techniques in ransomware attacks.

A new ransomware family named Charon has emerged, targeting organizations in the Middle East's public sector and aviation industry using advanced persistent threat techniques. It employs DLL sideloading via a legitimate Edge.exe binary to deploy its payload, which includes a custom ransom note referencing specific victims. Charon features advanced evasion tactics, including disabling security services and using a hybrid cryptographic scheme for encryption. It also attempts to implement anti-EDR capabilities, indicating ongoing development.

Trend Micro has identified a new ransomware strain, Charon, targeting aviation and public sector entities in the Middle East. Charon employs advanced techniques like DLL sideloading, process injection, and evasion of endpoint security. The attack begins with a legitimate Edge.exe binary, which sideloads a malicious DLL (msedge.dll) to deliver the ransomware payload. This method allows the malware to impersonate a legitimate Windows service, enhancing its stealth and effectiveness.

On August 3, 2025, a significant spike in brute-force attacks targeting Fortinet SSL VPN devices was reported, involving over 780 unique malicious IP addresses from the U.S., Canada, Russia, and the Netherlands. The attacks were deliberate, focusing on FortiOS and later shifting to FortiManager post-August 5. Historical data indicated earlier testing from a residential ISP. Such patterns often precede new CVEs affecting similar technologies, highlighting the targeting of enterprise edge systems by advanced threat actors.

A surge in brute-force attacks targeting Fortinet's SSL VPNs was detected on August 3, 2025, with over 780 unique IP addresses involved. Researchers from GreyNoise noted two attack waves, with the second focusing on FortiManager, potentially compromising entire networks. The attacks may originate from a residential network, indicating an attempt to mask operations. GreyNoise warns that such spikes often precede public disclosures of new vulnerabilities, advising Fortinet customers to remain vigilant and utilize tools to block malicious IPs.

A spike in brute-force attacks against Fortinet SSL VPNs and FortiManager has been observed, suggesting potential preparation for a zero-day exploit. GreyNoise researchers predict an 80% chance of a CVE being disclosed within weeks, as such activity often precedes vulnerability announcements. While no zero-day has been confirmed, attackers may exploit known vulnerabilities. Users are advised to remain vigilant against phishing attempts, especially unsolicited messages demanding urgent action.

A surge in brute-force attacks targeting Fortinet SSL VPNs was reported, with over 780 unique IPs involved on August 3, indicating deliberate targeting. A second wave began on August 5, shifting focus to FortiManager. GreyNoise noted that spikes in activity often precede CVE disclosures, with 80% of cases followed by vulnerabilities within six weeks. Fortinet has released fixes for several vulnerabilities, and a potential zero-day RCE exploit for FortiOS VPN versions 7.4-7.6 is being offered for sale. Admins are advised to block malicious IPs and implement security best practices.

A new phishing campaign targets UK visa sponsor licence holders, utilizing Home Office branding to deceive victims. Mimecast identified fraudulent emails that mimic official communications, directing users to fake login pages to steal SMS credentials. Once compromised, accounts are exploited for various scams, including fake job offers costing victims £15,000 to £20,000. Recommendations include implementing robust IT practices, multi-factor authentication, and user awareness training to mitigate risks associated with this active threat.

A phishing campaign targeting the UK Home Office's Sponsorship Management System has been uncovered by Mimecast. Attackers send emails mimicking legitimate Home Office communications, urging users to log in to avoid account suspension. Victims are directed to a nearly identical fake login page, where credentials are captured. Stolen accounts can be exploited to create fraudulent job offers and visa sponsorships, posing a significant threat to the UK immigration system. Vigilance and URL verification are recommended for protection.

A phishing scam targeting the UK Visa Sponsorship System has been reported, where fake Home Office emails deceive companies into revealing their login credentials. Cybersecurity firm Mimecast identified that these emails lead to counterfeit SMS login pages designed to harvest user information. Victims' credentials are exploited to issue fraudulent Certificates of Sponsorship, facilitating scams that charge individuals for non-existent visa sponsorships. Recommendations include using multi-factor authentication, regular credential changes, and staff training to recognize phishing attempts.

A report from Bitdefender reveals the Russian-linked hacking group Curly COMrades is targeting Eastern Europe with the MucorAgent backdoor. Active since mid-2024, they focus on government bodies and an energy company in Georgia and Moldova. MucorAgent exploits a Windows component, NGEN, to maintain stealthy access by hijacking a dormant task. The group employs tools like Resocks and Stunnel for credential theft, using compromised websites to exfiltrate data, complicating detection efforts.

Cybersecurity researchers at Bitdefender have identified a new cyber-espionage group named Curly COMrades, believed to be Russian, using a backdoor malware called MucorAgent to target critical infrastructure in eastern Europe, specifically government and judicial organizations in Georgia and energy companies in Moldova. MucorAgent is a .NET tool that executes AES-encrypted PowerShell scripts and communicates with a C2 server. The initial access vector remains undetermined, but proxy agents like Resocks may have been involved.

A new APT group named “Curly COMrades” is targeting critical organizations in Georgia and Moldova, focusing on long-term network access and credential theft since mid-2024. They utilize proxy tools and compromised websites to evade detection. Their tactics include extracting the NTDS database and dumping LSASS memory for user credentials. The group employs MucorAgent malware, which hijacks the COM handler for persistence via the NGEN component, allowing stealth execution and covert access restoration.

A new threat actor, dubbed "Curly COMrades" by Bitdefender, has targeted state organizations in Moldova and Georgia since late 2024, aligning with Russian geopolitical interests. The group employs sophisticated techniques for long-term network access and credential theft, using compromised legitimate websites for command-and-control operations. They utilize a scheduled task on Windows systems to maintain stealthy access and have deployed a new malware, MucorAgent, for data collection and exfiltration.

Researchers have identified a new Russian APT group named Curly COMrades, linked to cyberespionage campaigns targeting judicial and government entities in Georgia and an energy distribution company in Moldova. The group employs a novel backdoor program and persistence techniques, utilizing curl.exe for command and control communications and data exfiltration. Their activities date back to late 2024, aligning with Russia's interests against these EU-candidate nations.

More than 29,000 Microsoft Exchange servers remain unpatched against CVE-2025-53786, a high-severity vulnerability allowing attackers to escalate privileges in hybrid cloud environments. Affected versions include Exchange Server 2016, 2019, and Subscription Edition. CISA issued Emergency Directive 25-02, mandating federal agencies to mitigate the flaw by August 11. Microsoft provided a hotfix in April 2025, and experts emphasize the need for immediate action to prevent potential exploitation.

Almost 30,000 Microsoft Exchange servers remain unpatched against a high-severity hybrid Exchange bug identified in August 2025. The Shadowserver Foundation reports that 7,200 affected servers are in the U.S., 6,700 in Germany, and 2,500 in Russia. The flaw allows attackers with admin access to escalate privileges into the connected Exchange Online environment. Microsoft recommends applying April 2025 hotfixes, transitioning to the dedicated Exchange Hybrid app, and resetting shared service principal credentials to mitigate risks.

Microsoft's October Patch Tuesday addressed 111 vulnerabilities, including CVE-2025-53786, a high-severity flaw in Exchange servers, with over 28,000 unpatched servers noted. The update follows attacks on SharePoint zero-days, impacting over 400 organizations. Critical vulnerabilities include CVE-2025-53767 (Azure OpenAI) and CVE-2025-53766 (Windows GDI+), both with high CVSS scores. Notably, 40% of patched CVEs are elevation of privilege vulnerabilities, indicating a trend in post-compromise risks.

Microsoft's August 2025 Patch Tuesday addresses 111 vulnerabilities, including nine critical remote code execution (RCE) flaws. Notably, CVE-2025-53779 is a zero-day elevation of privilege vulnerability in Kerberos, requiring pre-existing control of specific attributes. CVE-2025-50165 and CVE-2025-53766 are critical RCEs in Windows Graphics and GDI+, respectively, with potential exploitation via malicious files. Patches are available for Windows Server 2025 and Windows 11 24H2.

Microsoft released over 100 security updates on August Patch Tuesday, addressing critical vulnerabilities including CVE-2025-53786, which allows attackers to pivot from compromised Exchange Servers to cloud environments. Approximately 29,000 Exchange servers are at risk. Other critical flaws include CVE-2025-53779 in Kerberos, CVE-2025-53766 in GDI+, and CVE-2025-53778 in NTLM, which could allow privilege escalation. Windows 10 users are urged to upgrade to Windows 11 before free updates cease in October 2025.

Microsoft's August 2025 Patch Tuesday addressed 107 vulnerabilities, including a Windows Kerberos zero-day (CVE-2025-53779, CVSS 7.2) that allows authenticated attackers to gain domain admin rights via relative path traversal. Additionally, a critical heap-based buffer overflow in Windows GDI+ (CVE-2025-53766, CVSS 9.8) enables remote code execution through crafted metafiles in documents. The updates impact various Microsoft products, with 12 vulnerabilities rated Critical and 93 Important.

Microsoft's August Patch Tuesday addresses 107 vulnerabilities, including 13 critical RCE flaws affecting Windows, Office, and Azure. Key vulnerabilities include CVE-2025-50165 (Windows Graphics Component) and CVE-2025-53731 (Microsoft Office), which could allow remote code execution. Other notable issues involve privilege escalation and information disclosure flaws. Microsoft emphasizes the need for prompt updates, as none of the patched vulnerabilities are currently actively exploited. PowerShell 2.0 will be removed from Windows 11 and Server 2025.

Microsoft's August Patch Tuesday addresses 111 vulnerabilities, including 12 critical flaws. Notable issues include CVE-2025-50165 and CVE-2025-53766, both allowing remote code execution (RCE) with scores of 9.8. CVE-2025-49712, a critical RCE in SharePoint, has an 8.8 severity score. Adobe patched 68 CVEs, including critical RCEs in InCopy and Illustrator. SAP released 15 security notes, with three critical code injection vulnerabilities. Intel issued 34 advisories for 66 vulnerabilities, including high-severity issues in Xeon processors.

A critical zero-day vulnerability (CVE-2025-53779) in Windows Server 2025's Kerberos authentication system has been patched by Microsoft as part of the August Patch Tuesday updates. Although assessed as “Exploitation Less Likely,” the presence of exploit code poses a significant risk, especially if an admin's privileged account is compromised. Analysts recommend urgent attention from organizations, as this vulnerability can facilitate sophisticated attacks in high-value environments.

In April 2025, Microsoft addressed a critical Exchange flaw (CVE-2025-53786) that allows privilege escalation in cloud environments via compromised on-premises servers. As of August 1, 2025, over 28,000 Exchange servers remain unpatched. CISA issued an emergency directive, warning of potential complete compromise of Exchange and Active Directory. Experts emphasize the need for immediate patching, visibility of non-human identities (NHIs), and robust identity management practices to mitigate risks associated with this vulnerability.

On August Patch Tuesday, Microsoft addressed over 100 CVEs, including the zero-day CVE-2025-53779, an elevation of privileges vulnerability in Windows Kerberos. This flaw allows authenticated attackers to gain domain admin privileges but requires control of specific attributes of delegated Managed Service Accounts. Among the critical vulnerabilities are CVE-2025-53778 (improper authentication in NTLM) and CVE-2025-50177 (use-after-free in Message Queuing). Sysadmins are urged to prioritize patching these vulnerabilities.

Microsoft's August 2025 Patch Tuesday addressed 111 vulnerabilities, including a critical zero-day (CVE-2025-53779) in Windows Kerberos, allowing privilege escalation through path traversal. Notable flaws include CVE-2025-53767 (CVSS 10.0) in Azure OpenAI and CVE-2025-53766 (CVSS 9.8) in GDI+. The vulnerabilities could lead to full system compromise, with some requiring no customer action. Immediate impact is limited, affecting only 0.7% of Active Directory domains. Continuous vigilance is essential for security.

Microsoft released security patches for a critical vulnerability in Windows Remote Desktop Services, CVE-2025-53722, affecting multiple Windows versions, including Windows Server 2025 and Windows 11 24H2. The flaw allows unauthorized denial of service (DoS) attacks without authentication, rated CVSS 7.5. Patches include KB5063880 for Windows Server 2022 and KB5063875 for Windows 11. Immediate patch deployment is recommended to protect against potential disruption to business operations.

Microsoft's August 2025 Patch Tuesday addressed over 100 vulnerabilities, including the "BadSuccessor" Kerberos flaw (CVE-2025-53779), allowing privilege escalation in Active Directory. Discovered by Akamai, it requires a domain controller running Windows Server 2025. Other critical vulnerabilities include CVE-2025-49712 (RCE in SharePoint), CVE-2025-53731 and CVE-2025-53740 (Office RCEs), and CVE-2025-53786 (severe Exchange privilege escalation). Timely patching and configuration are essential to mitigate risks.

Microsoft's August 2025 Patch Tuesday update addresses 111 vulnerabilities, including a critical zero-day flaw in Windows Kerberos that allows privilege escalation via a "relative path traversal" issue. The update fixes 106 additional flaws, with 13 labeled critical, including nine remote code execution vulnerabilities. Notable issues include CVE-2025-53767 in Azure OpenAI and CVE-2025-50165 in Microsoft Graphics Component, both rated critical. Admins are urged to apply the patch immediately to mitigate risks.

CISA and Microsoft updated guidance on CVE-2025-53786, a high-severity vulnerability in Exchange Server that allows privilege escalation for attackers with administrative access. CISA noted no evidence of exploitation but urged organizations to review updated identification guidance and use the Microsoft Exchange Health Checker. Microsoft recommended downloading the April 2025 hotfix and disconnecting end-of-life servers. An attacker requires a highly privileged role to exploit this vulnerability.

Microsoft's August 2025 Patch Tuesday addressed 111 vulnerabilities, including critical ones like CVE-2025-50165, which allows remote code execution via an untrusted pointer dereference in Microsoft Graphics Component, and CVE-2025-53766, a heap-based buffer overflow in Windows GDI+ that can also lead to remote code execution. Both vulnerabilities can be exploited without user interaction, emphasizing the importance of timely updates to protect systems.

Microsoft released critical updates for three vulnerabilities in Microsoft Office, tracked as CVE-2025-53731, CVE-2025-53740, and CVE-2025-53730, affecting versions 2016-2024. These flaws allow remote code execution via document preview, posing significant risks. CVE-2025-53731 and CVE-2025-53740 have a CVSS score of 8.4, while CVE-2025-53730 scores 7.8. Patches were released on August 12. Users are urged to update immediately to mitigate risks associated with these vulnerabilities.

On August 2025 Patch Tuesday, Microsoft addressed 107 vulnerabilities, including a critical zero-day flaw (CVE-2025-53779) in Windows Kerberos that allows authenticated attackers to gain domain administrator privileges. Of the fixed vulnerabilities, 13 were critical, with 9 being remote code execution vulnerabilities. The breakdown includes 44 elevation of privilege, 35 remote code execution, 18 information disclosure, 4 denial of service, and 9 spoofing vulnerabilities. The flaw was discovered by Yuval Gordon of Akamai.

Microsoft's August Patch Tuesday addressed 109 vulnerabilities across 16 product families, with 18 marked as Critical. Notably, CVE-2025-53786, an Elevation of Privilege vulnerability in Exchange, is highlighted as likely to be exploited soon. Critical vulnerabilities include CVE-2025-50165 and CVE-2025-53766, both affecting Windows Graphics. Microsoft also noted clerical errors in previous patch releases. Recommendations include immediate patching, especially for cloud services like Azure and Microsoft 365.

The Dutch National Cyber Security Centre (NCSC-NL) has reported active exploitation of CVE-2025-6543, a critical vulnerability in Citrix NetScaler ADC, affecting critical organizations in the Netherlands. This flaw, with a CVSS score of 9.2, allows for unintended control flow and denial-of-service. Discovered on July 16, 2025, it has been exploited since early May 2025. Organizations are urged to apply patches and run specific commands to mitigate risks, as well as check for rogue web shells and suspicious account activity.

FortiGuard Labs reported over 6,000 exploitation attempts of Citrix Bleed 2 (CVE-2025-5777) since July 28, 2025, primarily targeting high-value sectors in the US, Australia, Germany, and the UK. Additionally, CVE-2025-6543 has been exploited as a zero-day since early May 2025 against critical Dutch organizations. Citrix released patches for both vulnerabilities, but the NCSC-NL emphasized that updating alone is insufficient; resetting sessions is also necessary. Investigations into the attacks are ongoing.

Hackers exploited a memory-overflow vulnerability (CVE-2025-6543) in Citrix’s NetScaler products to breach critical infrastructure organizations in the Netherlands, as reported by the Dutch National Cyber Security Centre. The attacks began in early May, prior to Citrix's June 25 disclosure. There are over 4,100 vulnerable NetScaler instances globally. CISA has added both CVE-2025-6543 and a related flaw (CVE-2025-5777) to its Known Exploited Vulnerabilities catalog, urging organizations to patch immediately.

Over 7,000 Citrix NetScaler appliances are unpatched against critical vulnerabilities CVE-2025-5777 and CVE-2025-6543, with active exploitation confirmed. CVE-2025-5777 allows remote code execution via insufficient input validation, while CVE-2025-6543 can lead to Denial of Service through a buffer overflow. Citrix advises immediate upgrades to fixed builds and recommends post-patch cleanup, network segmentation, and continuous monitoring to mitigate risks. Organizations must validate indicators of compromise and conduct regular audits to enhance security.

The Dutch NCSC warns that the Citrix NetScaler vulnerability CVE-2025-6543, a memory overflow flaw with a CVSS score of 9.2, is being exploited to breach critical organizations in the Netherlands. This zero-day vulnerability allows remote code execution and can lead to Denial of Service. Affected versions include NetScaler ADC and Gateway 13.1 before 13.1-59.19 and 14.1 before 14.1-47.46. The NCSC advises enhancing security measures and has released a detection script on GitHub.

A vulnerability in Citrix NetScaler is being exploited globally, particularly affecting organizations in the Netherlands. The National Cyber Security Centre (NCSC) reports that a memory overflow bug enables sophisticated remote code execution (RCE) and distributed denial of service (DDoS) attacks. The arbitrary code execution vulnerability has led to multiple compromises, with the potential for similar attacks on any vulnerable device worldwide, according to Johannes Ullrich from the SANS Institute.

On July 25, 2025, the Interlock ransomware group attacked the city of St. Paul, Minnesota, leaking 43GB of sensitive data after the city refused to pay the ransom. The breach disrupted online services and prompted the activation of the National Guard's cyber unit. The leaked data includes over 3,000 HR records, financial documents, and personal identification files. The city initiated a global password reset for its 3,500 employees and is collaborating with the FBI for recovery efforts. Residents are advised to remain vigilant against phishing attempts.

The Interlock ransomware gang leaked 43GB of files from the city of Saint Paul after a cyberattack in late July, prompting the city to declare a state of emergency. The leaked data includes over 66,000 files, such as passports and employee records. Mayor Malvin Carter stated that residents' personal information was not compromised, as it is stored in a secure cloud application. The attack disrupted multiple city services, and the city has no plans to pay the ransom. The FBI and CISA had previously warned about Interlock's activities.

Officials from St. Paul, Minnesota, confirmed that the Interlock ransomware group leaked approximately 43GB of employee data after payment demands were refused. Mayor Melvin Carter stated the data, sourced from a shared network drive in the Parks and Recreation department, includes varied personal files but not core city systems. The city is providing 12 months of credit monitoring and identity theft protection to affected employees. The leak was announced on August 11, following updates on the group's data leak site.

Wikipedia's legal challenge against the Online Safety Act's verification rules has failed. The Wikimedia Foundation argued that the regulations could jeopardize the safety and privacy of its volunteer editors by requiring user identity verification. The High Court's judgment emphasized the UK government's responsibility to protect Wikipedia. The foundation contended that classifying Wikipedia as "Category 1" would impose excessive duties, while the government maintained that it had reasonably considered but rejected an exemption for Wikipedia.

Wikimedia Foundation lost a legal challenge against the UK's Online Safety Act (OSA) regarding its classification as a Category 1 service. The judge dismissed four grounds of the challenge but allowed two for judicial review, focusing on the OSA's potential impact on user engagement and its rationale. If classified as Category 1, Wikipedia would face stringent regulations, including identity verification, which could threaten user privacy. The ruling emphasized the need for Ofcom to ensure Wikipedia's operational integrity under the OSA.

Wikipedia lost a legal battle against the UK’s Online Safety Act, which could classify it as a Category 1 service, imposing strict regulations like user verification and content filtering. The High Court ruled that the Secretary of State properly set thresholds based on Ofcom’s research. The ruling poses challenges for Wikipedia’s decentralized editing model, as it conflicts with the Act’s requirements for tracking and verifying user identities, potentially necessitating significant operational changes.

A significant data breach attributed to North Korea's Kimsuky APT group has resulted in a 34,000-page leak of internal tools and intelligence artifacts. The leak includes a phishing toolkit targeting South Korea's Defense Counterintelligence Command, a Tomcat kernel backdoor, and stolen government certificates. Key findings include a custom Cobalt Strike beacon and persistent access tools. Organizations in South Korea and allies are urged to audit exposed code, revoke compromised certificates, and enhance network detection measures.

A hacker, identifying as Saber/cyb0rg, has breached North Korean hacking group Kimsuky, leaking an 8.9GB database on the “Distributed Denial of Secrets” website. The leak includes phishing logs targeting South Korea's Defense Counterintelligence Command, source code for the Ministry of Foreign Affairs email platform, and tools for phishing. While the breach may hinder Kimsuky’s operations, experts believe it won't dismantle the group, which has a history of cyber-espionage since 2012.

Hackers Saber and cyb0rg claim to have breached a workstation of a North Korean government hacker, revealing operations of the Kimsuky espionage group. They published their findings in Phrack magazine, detailing the compromised virtual machine and private server. The leak includes evidence of Kimsuky’s activities against South Korean targets and internal documents. The hackers criticized Kimsuky for its motivations, asserting that they expose the group’s ties with Chinese hackers and their financial agendas.

Three Ghanaian nationals, Isaac Oduro Boateng, Inusah Ahmed, and Derrick Van Yeboah, were extradited to the US on August 7, 2025, over a $100 million fraud scheme involving romance scams and business email compromise (BEC). They are accused of defrauding vulnerable individuals and companies, laundering stolen funds to West Africa. The charges include wire fraud and money laundering conspiracy. A fourth suspect, Patrick Kwame Asare, remains at large. The extradition involved cooperation from Ghanaian law enforcement.

Three Ghanaian nationals, Isaac Oduro Boateng, Inusah Ahmed, and Derrick Van Yeboah, were extradited to the U.S. after being indicted for over $100 million in romance scams and business email compromises. The scheme, active from 2016 to May 2023, targeted vulnerable elderly Americans, convincing them of fictitious relationships and investment opportunities. The men face multiple charges, including wire fraud and money laundering, with potential sentences of up to 75 years.

Four Ghanaian nationals, led by Isaac Oduro Boateng, were extradited to the U.S. for orchestrating over $100 million in romance scams and business email compromise attacks. They used advanced social engineering and technical exploitation, creating fake personas to manipulate victims and intercept corporate transactions. Their operations involved phishing, domain spoofing, and meticulous monitoring of business communications. Extradition was facilitated by U.S. and Ghanaian law enforcement cooperation, with three defendants arriving on August 7, 2025.

Malicious actors are exploiting CVE-2025-32433, a critical vulnerability in Erlang/OTP SSH, with 70% of detections targeting OT firewalls. This flaw allows arbitrary code execution without credentials and was patched in April 2025. CISA added it to its KEV catalog in June 2025 due to active exploitation. Over 85% of attempts focus on healthcare, agriculture, media, and high technology sectors across multiple countries. Attackers are using reverse shells for unauthorized access, indicating a significant global attack surface.

A critical remote code execution vulnerability (CVE-2025-32433) in Erlang/OTP’s SSH daemon, with a CVSS score of 10.0, is being actively exploited, affecting versions prior to OTP-27.3.3. Attackers can execute arbitrary commands by sending crafted SSH messages. Exploitation attempts surged from May 1-9, 2025, particularly in OT networks, impacting sectors like healthcare and agriculture. Advanced payloads include reverse shells for persistent access, complicating detection efforts.

A remote code execution (RCE) vulnerability in the SSH daemon of Erlang's Open Telecom Platform (OTP), tracked as CVE-2025-32433, was exploited by attackers shortly after a patch was released in April 2025. Unit 42 reported that exploitation occurred between May 1 and May 9, 2025, primarily targeting Operational Technology (OT) firewalls. Erlang, developed by Ericsson, is designed for scalable, fault-tolerant systems, commonly used in telecommunications and industrial control systems.

A severe remote code execution vulnerability (CVE-2025-32433) in Erlang/OTP's SSH daemon is being actively exploited, allowing unauthenticated attackers to execute commands. Vulnerable versions include those before OTP-27.3.3. Between May 1-9, 70% of exploitation attempts targeted operational technology networks, risking critical infrastructure. Researchers recommend immediate patching to secure versions and suggest disabling the SSH server or restricting access as temporary measures.

Marks and Spencer (M&S) has restored its click and collect service after a cyber incident disclosed on April 22, 2025, which led to a nearly four-month suspension. Online delivery resumed on June 10, but click and collect was only reinstated 15 weeks later. The incident is expected to cost M&S around £300 million in lost profits, though they aim to mitigate this through insurance. The UK's National Crime Agency arrested four individuals linked to the attacks, attributed to the group Scattered Spider.

British retailer Marks and Spencer has restored its Click & Collect service after a cyberattack in April that disrupted multiple services. CEO Stuart Machin estimated a £300 million loss in profits for 2025/26 due to the attack. While core services are mostly back online, some limitations remain, including issues with online stock checking and international orders. The National Crime Agency arrested four suspects linked to the attack, believed to involve the Scattered Spider gang.

Marks & Spencer (M&S) has restored its click-and-collect service nearly four months after a cyber-attack in April that disrupted operations and cost the company around £300 million. The breach, attributed to human error and linked to the DragonForce ransomware group, compromised customer personal data. Four individuals were arrested in connection with the attack. The National Cyber Security Centre has recommended enhanced security measures, including multi-factor authentication and improved password policies.

A carmaker's online dealership portal exposed customer data and allowed unauthorized remote access to vehicles. Researcher Eaton Zveare discovered a vulnerability that enabled him to bypass login security, create a national admin account, and access sensitive data, including personally identifiable information and vehicle tracking systems. Although no exploitation was reported, the flaws posed significant security risks. The carmaker fixed the issues within a week after being notified. Zveare will present his findings at Defcon.

A security vulnerability in a major carmaker's online portal exposed customer data and allowed potential remote access to vehicles. Discovered by researcher Eaton Zveare, the flaw enabled the creation of a "national administrator" account, granting access to personal and financial data of thousands. Hackers could unlock doors using a vehicle's VIN or owner's name. The issue stemmed from authentication flaws, and the company fixed it within a week after disclosure. Tips for car security include using external navigation apps and updating software.

A critical vulnerability in a major automaker's dealer portal allowed unauthorized access, enabling attackers to register as dealer employees and gain national admin privileges. Exploiting a hidden registration form and bypassing server-side token validation, attackers accessed the vehicle enrollment API, transferring ownership and sending remote commands to vehicles from the 2012 model year onward. Immediate patching is recommended to enforce token validation and tighten session management. The automaker has released an updated portal version to address these issues.

At DEF CON 33, researchers Yair and Shahak Morag from SafeBreach Labs revealed the "Win-DoS Epidemic," a series of new DoS vulnerabilities in Windows. Key findings include four high-severity vulnerabilities (CVE-2025-26673, CVE-2025-32724, CVE-2025-49716) and one medium-severity flaw (CVE-2025-49722) affecting core services like LDAP and LSASS. The research enables attackers to crash Windows systems and create a DDoS botnet using public Domain Controllers, necessitating urgent security reassessment by organizations.

At DEF CON 33, researchers introduced "Win-DDoS," a new DDoS technique exploiting Windows domain controllers (DCs) through zero-click vulnerabilities. This method allows attackers to remotely crash DCs or Windows endpoints using the remote procedure call (RPC) framework. The researchers identified three new DoS vulnerabilities enabling crashes without authentication and one that allows any authenticated user to crash any DC or Windows computer within a domain.

SafeBreach researchers revealed vulnerabilities in Windows Active Directory domain controllers (DCs) that can be exploited for DDoS attacks, notably CVE-2025-32724. This vulnerability allows attackers to use public DCs as agents in distributed denial-of-service attacks by tricking them into connecting to a malicious LDAP server. Microsoft has issued patches for these vulnerabilities. Organizations are advised to implement these updates and enhance defenses against potential DDoS threats.

Lenovo webcams, specifically the 510 FHD and Performance FHD models, have vulnerabilities allowing them to be weaponized as BadUSB devices, enabling attackers to inject keystrokes and execute malicious commands remotely. Discovered by Eclypsium researchers, these flaws stem from insecure firmware updates on Linux-based devices. Lenovo has responded by implementing firmware signature validation. Users are advised to update their devices to mitigate risks. The findings highlight the need for improved firmware security and device trust models.

A critical vulnerability in Lenovo 510 FHD and Performance FHD webcams allows hackers to remotely weaponize these devices into BadUSB tools, injecting keystrokes and compromising systems. The flaw arises from a lack of firmware signature validation, enabling attackers to manipulate the camera's firmware. Lenovo has released firmware updates (version 4.8.0) to address this issue, tracked as CVE-2025-4371. Security experts warn that other Linux USB devices may also be vulnerable, necessitating enhanced security measures.

Researchers at Eclypsium have identified a vulnerability (CVE-2025-4371), dubbed "BadCam," affecting certain Lenovo webcams powered by Linux, allowing them to be reprogrammed into BadUSB devices. This enables remote attackers to inject keystrokes and deliver malware while bypassing traditional security measures. Lenovo has released firmware update version 4.8.0 to address this issue. Users are advised to avoid using untrusted webcams to mitigate risks.

Cybersecurity researchers have identified a jailbreak technique for OpenAI's GPT-5, enabling the generation of harmful instructions through a method called Echo Chamber. This technique manipulates the model's responses by framing prompts in narrative contexts, minimizing refusal cues. Additionally, new zero-click attacks, termed AgentFlayer, exploit AI integrations with cloud services to exfiltrate sensitive data via indirect prompt injections. These findings underscore the vulnerabilities of AI systems and the need for robust security measures.

A critical vulnerability named AgentFlayer has been identified in ChatGPT Connectors, allowing attackers to exploit indirect prompt injection to steal sensitive data from connected applications like Google Drive without user interaction. Discovered by Zenity and presented at Black Hat, the attack involves embedding hidden instructions in documents. Despite existing security measures, researchers bypassed them, highlighting a broader risk in AI integrations. Enhanced security protocols are essential to mitigate these vulnerabilities.

Researchers have successfully jailbroken OpenAI's GPT-5 using echo chamber and storytelling attacks, exposing critical vulnerabilities. The echo chamber attack manipulates the model's reasoning capabilities through recursive validation loops, while storytelling attacks disguise harmful requests within fictional narratives. These methods achieve up to 95% success rates against unprotected instances, highlighting significant gaps in AI security frameworks. Experts recommend robust runtime protections and continuous adversarial testing for safe enterprise deployment.

Research from Zenity Labs reveals vulnerabilities in AI agents from Microsoft, Google, and OpenAI, allowing hijacking with minimal user interaction. Attacks can exfiltrate data, manipulate workflows, and impersonate users. Specific vulnerabilities include ChatGPT's email prompt injection accessing Google Drive, Microsoft Copilot leaking CRM data, and Salesforce's Einstein rerouting communications. Companies have issued patches, with Microsoft emphasizing ongoing improvements and Google highlighting layered defenses. Concerns persist over inadequate safeguards in AI frameworks.

OpenAI's GPT-5 has been criticized for low security and safety performance, scoring 55.4% and 51.6% in tests, significantly lower than its predecessor GPT-4o. Researchers from Splx found it poorly aligned for enterprise use, failing to reject inappropriate tasks and disclosing sensitive information. NeuralTrust demonstrated GPT-5's vulnerability by jailbreaking it within 24 hours using narrative-driven manipulation. Recommendations for enterprises include prompt hardening, red teaming, and assessing entire conversations for malicious intent.

Research by Zenity at Black Hat USA reveals vulnerabilities in AI agents, including ChatGPT, Copilot Studio, and Salesforce Einstein. These vulnerabilities allow cybercriminals to exploit prompt injection techniques, previously requiring human interaction, now targeting AI agents directly. This enables attackers to exfiltrate sensitive data, impersonate users, and manipulate workflows. A proof-of-concept demonstrated how hidden prompts in documents uploaded to ChatGPT could lead to unauthorized access to API keys in connected services like Google Drive.

Security researchers from Zenity highlighted vulnerabilities in enterprise AI assistants like ChatGPT and Microsoft Copilot at Black Hat USA 2025. They presented AgentFlayer attacks, which exploit rogue prompts, leading to both user-interaction and 0-click attack scenarios. These findings underscore the evolving threat landscape as AI technologies become more integrated into enterprise environments, necessitating updated cybersecurity strategies for CISOs.

Researchers successfully jailbroke GPT-5 shortly after its launch using a method called “Echo Chamber” combined with “Storytelling.” This technique involves embedding harmful prompts within benign narratives to manipulate the model into generating harmful content. The process includes seeding low-salience contexts and steering the dialogue to maintain narrative continuity. This approach evades standard security filters, as it disguises malicious intent within seemingly harmless prompts, raising concerns about model safety and security.

A new technique can bypass GPT-5's safety systems, allowing harmful outputs through storytelling-driven prompts. Researchers at NeuralTrust combined the Echo Chamber attack with narrative steering, leading to harmful procedural details emerging within a fictional context. The method involves introducing benign text, sustaining a coherent story, and gradually escalating requests. The study highlights risks associated with urgency themes and recommends conversation-level monitoring and robust AI gateways to mitigate such threats.

On Aug. 7, OpenAI released GPT-5, which has been criticized for poor security and safety performance. Security researchers from SPLX found it scored only 2.4% on security metrics and identified vulnerabilities similar to those in older models. Despite claims from Microsoft of rigorous testing, SPLX's findings revealed significant weaknesses. Other researchers, including NeuralTrust, reported jailbreaking techniques that exploit context poisoning, raising concerns about the model's safety in enterprise applications.

Phishing attacks are exploiting the WinRAR flaw CVE-2025-8088, a directory traversal vulnerability fixed in version 7.13, to install RomCom malware. This zero-day vulnerability allows attackers to execute arbitrary code via malicious archive files. ESET researchers reported that spear-phishing emails with RAR file attachments are being used to deliver RomCom backdoors. The threat actor behind RomCom is linked to a Russian cyberespionage group and has a history of ransomware and data-theft extortion attacks.

A critical vulnerability in WinRAR, identified as CVE-2025-8088, is being exploited by a Russia-linked cyberespionage group to spread RomCom malware. This path traversal flaw allows attackers to execute arbitrary code by tricking users into opening malicious archive files via phishing emails. Security researchers from ESET discovered the issue, which has been patched in WinRAR version 7.13. Users must manually update to this version to mitigate the risk of infection and protect sensitive data.

A zero-day vulnerability in WinRAR, tracked as CVE-2025-8088 (CVSS score: 8.8), is actively exploited, allowing arbitrary code execution via malicious archive files. Discovered by ESET researchers, it affects versions up to 7.12 and is patched in version 7.13 released on July 31, 2025. Attacks have targeted Russian organizations using phishing emails with booby-trapped archives, leveraging this and another vulnerability (CVE-2025-6218) to execute code and potentially install additional malware.

A critical zero-day vulnerability (CVE-2025-8088) in WinRAR is being exploited in phishing attacks to deploy RomCom malware, with a CVSS score of 8.4. The flaw allows attackers to execute arbitrary code via malicious archive files, leveraging a path traversal weakness in Windows versions of WinRAR. Users are urged to update to WinRAR 7.13, released on July 30, 2025. Recommendations include scanning compressed files before extraction and limiting archive handling privileges to reduce risks.

ESET Research identified a zero-day vulnerability in WinRAR (CVE-2025-8088) exploited by the RomCom group, targeting financial and defense sectors in Europe and Canada. The vulnerability allows attackers to hide malicious files in archives, leading to backdoor installations. WinRAR released a patch on July 30, 2025. The campaign involved spearphishing emails with weaponized RAR files, delivering various malware, including SnipBot and RustyClaw. Users are urged to update WinRAR immediately to mitigate risks.

ESET researchers identified a zero-day vulnerability (CVE-2025-8088) in WinRAR, exploited by the RomCom group in targeted cyberespionage attacks from July 18 to 21, 2025. Malicious RAR archives were sent in spearphishing campaigns targeting financial, manufacturing, defense, and logistics sectors in Europe and Canada. Although no targets were compromised, the attackers deployed backdoors like SnipBot and RustyClaw. Users are urged to update to the latest WinRAR version to mitigate risks.

A vulnerability in WinRAR, tracked as CVE-2025-8088, has been exploited by the RomCom hacking group, allowing attackers to hide malicious files in archives. A patch was released on July 30, 2025. The flaw affects WinRAR's command-line utilities and enables code execution through crafted archives. Between July 18-21, RomCom targeted firms in Europe and Canada with spear-phishing emails. Security experts recommend immediate updates to mitigate risks associated with this vulnerability.

A high-severity zero-day vulnerability (CVE-2025-8088) in WinRAR, discovered by ESET, allows hackers from the RomCom group to deploy malware via directory traversal attacks. This flaw, with a severity score of 8.4/10, was exploited in spear phishing campaigns targeting government and critical infrastructure organizations. WinRAR has released a patch (version 7.13) to address the issue. Users are urged to update manually, as WinRAR does not auto-update.

Two cyber-espionage groups exploited vulnerabilities in WinRAR this summer. The Russia-aligned RomCom group exploited CVE-2025-8088, allowing code execution via malicious archive files, targeting financial and defense sectors in Europe and Canada. This flaw was patched on July 24. Another group, Paper Werewolf, also exploited CVE-2025-8088 and a known vulnerability (CVE-2025-6218) in attacks on Russian organizations. Both groups used phishing emails with malicious RAR files to compromise systems.

A previously unknown vulnerability in WinRAR, tracked as CVE-2025-8088, has been exploited by the Russia-aligned group RomCom in espionage attacks targeting financial, manufacturing, defense, and logistics sectors in Europe and Canada. This path traversal flaw allows arbitrary code execution via malicious archive files. Users are advised to update to WinRAR version 7.13 immediately to mitigate risks. This incident highlights RomCom's ongoing investment in zero-day exploits for their operations.

Russia-linked attackers exploited a high-severity WinRAR vulnerability (CVE-2025-8088) before a patch was issued on July 31, 2023. This path-traversal flaw, rated 8.4 CVSS, allowed targeted attacks against financial and defense sectors in Europe and Canada via spearphishing emails disguised as job applications. ESET reported that RomCom and another group, Paper Werewolf, utilized this zero-day, with RomCom employing various backdoors and anti-analysis techniques. Users are urged to update WinRAR immediately.

A high-severity zero-day vulnerability in WinRAR (CVE-2025-8088) has been actively exploited by two Russian cybercrime groups, RomCom and Paper Werewolf, since July 18. The exploit allows attackers to backdoor systems by planting malicious executables in restricted file paths. ESET reported the vulnerability, which abuses Windows alternate data streams, and notified WinRAR developers, leading to a fix released six days later. RomCom has previously used zero-day vulnerabilities, indicating a sophisticated attack strategy.

A zero-day vulnerability in WinRAR (CVE-2025-8088) has been exploited by two groups, RomCom and Paper Werewolf, targeting organizations in Europe and Canada between July 18-21. The attacks involved spearphishing emails with malicious archives that exploit the vulnerability for code execution. Users are advised to update to WinRAR 7.13 to mitigate risks. Additionally, a vulnerability in 7-Zip (CVE-2025-55188) allows arbitrary file writes and requires updates for versions prior to 25.01.

On July 30, 2025, WinRAR released version 7.13 Final to address CVE-2025-8088, a path traversal vulnerability exploited by two groups. The Russian-aligned RomCom targeted financial and defense sectors in Europe and Canada via phishing, while Paper Werewolf targeted Russian organizations. Users are advised to update to the latest version and follow safety guidelines, including keeping software updated and avoiding unsolicited attachments, to mitigate risks from potential exploitation.

CISA has added the WinRAR zero-day vulnerability (CVE-2025-8088) to its Known Exploited Vulnerabilities catalog, requiring federal agencies to apply mitigations by September 2, 2025. This critical path traversal vulnerability affects all WinRAR versions up to 7.12, allowing attackers to execute arbitrary code via malicious archive files. Exploited by the Russian RomCom group, users must update to version 7.13, released on July 30, 2025, to mitigate risks. Unaffected platforms include Linux/Unix and RAR for Android.

The DARPA AI Cyber Challenge concluded with $8.5 million awarded to three teams for developing AI systems that autonomously identify and patch vulnerabilities in open-source software. Team Atlanta won first place, discovering 77% of vulnerabilities and patching 61% within an average of 45 minutes. The models identified 18 real zero-day vulnerabilities, patching 11 in Java. Four models were released as open source, aiming to enhance security in critical infrastructure, particularly in healthcare, where patching can take an average of 491 days.

The U.S. Defense Department announced Team Atlanta as the winner of the AI Cyber Challenge (AIxCC) at DEF CON, receiving $4 million for developing AI systems that find and fix software vulnerabilities. The competition, run by DARPA, involved 54 million lines of code, with Team Atlanta excelling in vulnerability detection and patch generation. DARPA plans to release four cyber reasoning systems to aid in vulnerability management, particularly in critical infrastructure and healthcare sectors.

On August 9, 2025, at DEFCON 33, Team Atlanta won DARPA's AI Cybersecurity Challenge (AIxCC), receiving a $4 million prize. The competition aimed to develop AI tools for securing US critical infrastructure. Trail of Bits secured second place with $3 million, while Theori took third with $1.5 million. The three top teams' cyber reasoning systems will be open-sourced. The challenge was supported by tech giants like Google and Microsoft, with additional funding announced by the US Department of Health and Human Services.

At Black Hat, Mikko Hyppönen stated that AI currently favors defenders in cybersecurity, with no zero-day vulnerabilities found in 2024 and around two dozen in 2025, all fixed. However, Nicole Perlroth warned that attackers may gain an advantage soon. The US military's DARPA awarded $8.5 million for an AI Cyber Challenge, successfully identifying and patching vulnerabilities. Concerns about AI's impact on jobs were raised, with experts suggesting it should augment rather than replace human roles in security.

Columbia University experienced a significant data breach, with hackers accessing personal and financial data of approximately 870,000 individuals. The breach was discovered on June 24, 2025, after a technical outage, and unauthorized access occurred around May 16, 2025. Compromised data includes names, Social Security numbers, and academic records. Columbia is offering two years of credit monitoring and has set up a call center for inquiries. No patient records from the medical center were affected.

A cyberattack on Columbia University in June exposed the personal information of over 860,000 individuals, including Social Security numbers and application data. The breach was discovered on June 24 after a tech outage, with unauthorized access dating back to May 16. The university is offering two years of free credit monitoring to those affected. A hacktivist claimed responsibility, stating the attacks were politically motivated in response to a Supreme Court ruling on affirmative action.

A data breach at Columbia University has exposed the personal, financial, and health information of nearly 870,000 individuals, including students, alumni, and employees. Discovered after a system outage on June 24, the breach involved unauthorized access to the university's network. Affected data includes names, Social Security numbers, and financial aid information. Columbia is offering two years of free credit monitoring and identity theft services. Users are advised to remain vigilant against phishing and monitor accounts for suspicious activity.

In May 2025, Columbia University experienced a cyberattack affecting approximately 870,000 individuals, including students and employees. The breach resulted in the theft of 460 GB of sensitive data, including names, Social Security numbers, and academic information. The university confirmed no patient records from its medical center were compromised. Affected individuals are being offered two years of free credit monitoring and identity theft protection. Victims are advised to be cautious of unsolicited communications.

U.S. federal court officials are enhancing digital security for sensitive documents in response to escalated cyberattacks on their case management system. A recent hack of the Public Access to Court Electronic Records (PACER) system raised concerns about exposing confidential informants' identities. The judiciary reported blocking 200 million harmful cyber events in the 2024 fiscal year and acknowledged the need to replace PACER due to its vulnerabilities and ongoing sophisticated threats.

The U.S. Federal Judiciary confirmed a cyberattack on its electronic case management systems, which host confidential court documents. While most documents are public, sealed filings with sensitive information are now under stricter access controls. The Judiciary is enhancing security measures to prevent future attacks and mitigate impacts on litigants. Reports indicate the breach affected multiple federal districts and may have compromised confidential informant identities. The incident's severity was recognized on July 4, 2025.

A cyberattack breached the US federal judiciary's electronic case filing system (CM/ECF), discovered around July 4, potentially exposing confidential informants' identities and compromising sealed court records across multiple states. The breach may have affected criminal dockets, arrest warrants, and sealed indictments, raising concerns for the safety of cooperating witnesses. The responsible actor remains unidentified, and the Administrative Office of the US Courts and FBI declined to comment.

The US Judiciary has confirmed a cyberattack targeting its case management system, prompting efforts to enhance cybersecurity. The attack involved sophisticated and persistent threats aimed at sensitive files, some of which contain confidential information. The Administrative Office of the United States Courts is collaborating with the DOJ, DHS, and other agencies to implement stricter access controls. Previous incidents include a damaging 2020 attack and a ransomware incident in 2024 affecting the Superior Court of Los Angeles County.

Russian government hackers are reportedly behind a breach of the U.S. court filing system, PACER. The attack targeted midlevel criminal cases, potentially exposing confidential informants' identities. The Administrative Office of the U.S. Courts confirmed the cyberattack on August 7, stating that sealed records were compromised. The agency is enhancing security measures to prevent future attacks and mitigate the impact on litigants. This incident follows previous Russian cyberattacks on U.S. federal systems.

The US Federal Court Filing System experienced a cyberattack, with initial reports suggesting Russian involvement. The attack, confirmed on August 7, targeted sealed court files and has been ongoing since early July. An internal memo warned of compromised sealed records, urging immediate action. The system, built in 1996, has known vulnerabilities and was previously breached in 2020. The motive remains unclear, but it may involve intelligence gathering by Russian entities.

Russian hackers have compromised the US court filing system, CM/ECF, targeting sensitive documents, including sealed files with overseas ties. The attack, linked to a multi-year effort, affected at least eight district courts, prompting judges to restrict uploads of sealed documents. Experts warn that court files are prime targets for cybercriminals. The Judiciary is modernizing its systems, with CM/ECF and PACER replacements planned, as legacy systems remain vulnerable to sophisticated attacks.

A breach of the U.S. federal judiciary's electronic case filing system was discovered around July 4, compromising sealed court records and potentially exposing confidential informants' identities. The attack exploited unaddressed software vulnerabilities from a previous breach in 2020. The U.S. Courts are enhancing security measures, while investigations suggest involvement from multiple cyberespionage actors, possibly including Russian entities. Recommendations include using air-gapped systems for sensitive documents and improving logging for better detection.

Russian attackers infiltrated the US federal court system, confirmed on August 5, accessing sensitive documents and witness identities through vulnerabilities dating back to 2020. The CM/ECF platform, used for filing legal materials, was compromised in a years-long effort. Concurrently, Norway reported a cyber incident where attackers controlled a dam's valves, releasing water to demonstrate potential chaos. Norwegian authorities attribute this to pro-Russian actors, indicating a shift in cyber activity aimed at instilling fear.

U.S. law enforcement confirmed the takedown of the BlackSuit ransomware gang, which extorted over $370 million from more than 450 U.S. entities. The operation involved international collaboration, seizing servers and digital assets. BlackSuit, previously known as Royal, was responsible for significant attacks, including a 2023 incident that disrupted Dallas's emergency services. Following the takedown, some members reportedly formed a new group called Chaos, with ongoing investigations into their activities.

The Royal and BlackSuit ransomware gangs compromised over 450 U.S. companies, collecting over $370 million in ransom since 2022. The U.S. Department of Homeland Security dismantled their infrastructure in a joint operation, confirming their use of double-extortion tactics. The groups, initially linked to Quantum ransomware, rebranded multiple times, with BlackSuit emerging in June 2023. Cisco Talos indicates they may now rebrand as Chaos ransomware, maintaining similar attack methods.

U.S. authorities have dismantled the BlackSuit ransomware operation, linked to attacks on over 450 organizations globally. The operation, led by ICE's HSI, involved seizing servers and digital assets. Active since 2022, BlackSuit has extorted over $370 million from U.S. victims, targeting critical sectors. The takedown, part of Operation Checkmate, involved international collaboration. Officials emphasized the need for enhanced cybersecurity measures and ongoing vigilance against evolving threats.

US law enforcement has dismantled the BlackSuit ransomware group, a successor to Royal, which compromised 450 organizations in the US since 2022, stealing $370 million in ransom. The operation involved seizing servers, domains, and digital assets used for ransomware deployment and extortion. Despite this disruption, no arrests were made, and experts warn that the threat actors may quickly reestablish their operations. BlackSuit was first identified in May 2023, showing links to the Conti operation.

The Justice Department announced coordinated actions against the BlackSuit (Royal) Ransomware group, including the takedown of four servers and nine domains on July 24, 2025. This operation involved multiple U.S. agencies and international law enforcement, resulting in the seizure of $1,091,453 in virtual currency. BlackSuit has targeted critical infrastructure sectors, and the operation aims to disrupt their ecosystem and hold cybercriminals accountable.

The U.S. Department of Justice seized $1 million in bitcoin and servers from the Russian ransomware gang behind BlackSuit and Royal malware on July 24. This coalition included law enforcement from multiple countries. BlackSuit has demanded over $500 million in ransoms, targeting critical U.S. infrastructure, with over 450 victims across various sectors. The gang has earned over $370 million since 2022. The seized bitcoin was linked to a frozen digital currency exchange account.

The U.S. Justice Department, alongside seven international partners, has dismantled the BlackSuit ransomware group's infrastructure, seizing four servers and over $1 million in laundered cryptocurrency. BlackSuit, also known as Royal, has targeted at least 450 organizations since 2022, collecting over $370 million in ransom. The group is linked to attacks on the city of Dallas and vulnerable Citrix products, as well as healthcare and manufacturing sectors. The operation reflects a proactive approach to combat ransomware threats.

On July 24, US law enforcement, including the DHS, FBI, and Secret Service, seized four servers and nine domains linked to the BlackSuit ransomware gang, recovering $1,091,453 in virtual currency. The operation, part of “Operation Checkmate,” targeted the group for its attacks on US critical infrastructure, with over 450 victims and $370 million in ransom. Despite the disruption, no arrests were made. Researchers suggest the gang has rebranded as Chaos ransomware, continuing similar attacks.

The US government has seized over $1 million in cryptocurrency from the BlackSuit ransomware group, which has reportedly stolen over $370 million from more than 450 US firms since 2022. The operation involved multiple agencies, including the Secret Service and the Department of Homeland Security, resulting in the confiscation of servers, domains, and digital assets. Despite this seizure, no arrests have been made, raising concerns about the group's potential resurgence.

In a July 24, 2025 operation, law enforcement dismantled BlackSuit ransomware infrastructure, seizing four servers, nine domains, and $1.09 million in laundered cryptocurrency. BlackSuit, a significant threat to U.S. critical infrastructure, employs sophisticated attack methods and cryptocurrency for ransom payments. Investigations revealed advanced laundering techniques, including fragmenting payments across exchanges. The operation involved multiple agencies from eight countries, marking a shift in targeting both malware and the financial networks supporting cybercrime.

US authorities seized approximately $1.1 million in cryptocurrency linked to the BlackSuit ransomware group, which had extorted victims, including a ransom payment of 43 bitcoin in April 2023. The Department of Justice coordinated the takedown of four servers and nine domains used by the group on July 24, 2025, as part of Operation Checkmate, involving multiple international law enforcement agencies. BlackSuit, rebranded from Royal in July 2023, has targeted critical sectors and demanded over $500 million from victims since its inception in September 2022.

Bouygues Telecom confirmed a cyberattack affecting 6.4 million customer accounts, detected on August 4. The breach exposed personal information, including contact details, contractual data, civil status, and IBANs. Bouygues, with 26.9 million mobile customers, reported the incident to France’s CNIL. Notably, the webpage detailing the breach contained a hidden “noindex” tag, complicating public access. This incident follows a recent attack on Orange, France's largest telecom provider.

Bouygues Telecom confirmed a data breach affecting 6.4 million customers, occurring on August 4, 2025. The breach exposed personal data, including contact details, contract information, civil status data, company details, and International Bank Account Numbers (IBANs). No credit card numbers or account passwords were compromised. The attack was linked to a known cybercriminal group, and Bouygues has implemented additional security measures. Customers are advised to be vigilant against fraud and phishing risks.

Bouygues Telecom confirmed a cyberattack detected on August 4, resulting in the theft of sensitive customer data, including names, contract details, civil status data, and IBAN numbers. The company has 26.8 million subscribers and has begun notifying affected individuals. While bank card numbers and passwords were not compromised, the stolen data poses a phishing risk. Bouygues advises users to remain vigilant and not share login credentials, urging caution with unsolicited communications.

A cyberattack on Bouygues Telecom exposed personal information of 6.4 million customers, including contact details and International Bank Account Numbers (IBANs), but not passwords or credit card numbers. The breach was discovered on August 4th, and the company is notifying affected customers. Bouygues advises vigilance against scams and urges those with exposed IBANs to monitor their bank accounts. The incident has been reported to authorities, with potential legal consequences for the perpetrators.

SonicWall reported that a wave of attacks on SonicWall 7 customers since July exploited the previously disclosed vulnerability CVE-2024-40766, not a zero-day flaw. The attacks, involving Akira ransomware, affected customers using legacy credentials during migration from Gen 6 to Gen 7 firewalls. Fewer than 40 compromises were confirmed, prompting SonicWall to advise users to change credentials and upgrade to SonicOS 7.3.0. Huntress noted that 28 of its customers were compromised, urging credential rotation for security.

SonicWall reports that recent Akira ransomware attacks exploiting Gen 7 firewalls with SSLVPN are linked to CVE-2024-40766, a critical access control flaw fixed in August 2024, rather than a zero-day vulnerability. SonicWall advises customers to disable SSL VPN services and limit access to trusted IPs. The recommended actions include updating firmware to version 7.3.0 or later and resetting local user passwords. Some users express skepticism about SonicWall's claims based on their experiences.

SonicWall confirmed that recent ransomware attacks are linked to the previously identified CVE-2024-40766, not a new zero-day vulnerability. Fewer than 40 cases were reported, primarily due to the exploitation of legacy credentials during the migration from Generation 6 to Generation 7 firewalls. SonicWall advises users to change credentials and upgrade to SonicOS 7.3.0 for enhanced security features, including Multi-Factor Authentication and complex password policies.

A critical vulnerability in Microsoft Exchange Server, tracked as CVE-2025-53786, allows attackers with on-premises admin access to escalate privileges in cloud environments. Disclosed on August 6, 2025, by Microsoft after a demonstration at Black Hat 2025, it exploits special access tokens that cannot be revoked once stolen. CISA rates it high-severity, warning it could compromise identity integrity. Affected builds include Exchange Server 2019 CU15, CU14, 2016 CU23, and Subscription Edition. Remediation includes installing updates and following configuration guidance.

Microsoft has issued a warning regarding a high-severity privilege escalation vulnerability (CVE-2025-53786) affecting Exchange Server hybrid deployments. This flaw allows attackers with access to on-premises Exchange servers to escalate privileges in Exchange Online without detection. It impacts Exchange Server 2016, 2019, and Subscription Edition. CISA advises disconnecting public-facing servers running outdated versions to prevent total domain compromise. Microsoft has noted that exploit code could be developed, increasing the risk of attacks.

Microsoft disclosed a high-severity flaw in on-premise Exchange Server, tracked as CVE-2025-53786, with a CVSS score of 8.0. The vulnerability allows attackers with admin access to escalate privileges in connected cloud environments without detection. CISA warns it could impact Exchange Online's identity integrity. Recommendations include reviewing security changes, installing the April 2025 Hot Fix, and resetting service principal credentials if hybrid configurations are no longer used.

CISA issued an urgent alert on CVE-2025-53786, a high-severity vulnerability affecting on-premise Microsoft Exchange servers, allowing privilege escalation for hackers with administrative access. Organizations are advised to disconnect public-facing Exchange or SharePoint servers that have reached end-of-life. Microsoft has not seen exploitation yet but warns of potential identity integrity impacts. A hotfix is available, and organizations should follow Microsoft's guidance to mitigate risks.

Microsoft has identified a high-severity vulnerability (CVE-2025-53786) affecting hybrid Exchange deployments, specifically Exchange Server 2016, 2019, and Subscription Edition, with a severity score of 8.0/10. The flaw allows attackers with admin access to escalate privileges into Exchange Online. Microsoft recommends applying the April 2025 hotfix, transitioning to the dedicated Exchange Hybrid app, and resetting shared service principal credentials. CISA advises reviewing Service Principal Clean-Up Mode and using the Microsoft Exchange Health Checker to mitigate risks.

CISA and Microsoft issued an alert regarding a high-severity vulnerability, CVE-2025-53786, affecting on-premises Microsoft Exchange servers. Exploitation requires administrative access in hybrid environments, potentially allowing attackers to escalate privileges to cloud counterparts. Microsoft urged organizations to apply April 2025 hotfix updates and implement configuration changes. Starting later this month, Microsoft will block Exchange Web Services traffic using shared service principals. CISA advised disconnecting internet-exposed, end-of-life Exchange and SharePoint servers.

Microsoft and CISA have issued warnings about a high-severity vulnerability in Exchange Server, tracked as CVE-2025-53786, which could allow attackers to escalate privileges from on-premises to cloud environments. Although not currently under attack, exploitation is deemed likely. CISA mandated government agencies to address the issue by August 11. To mitigate risks, organizations should apply the April Hotfix and follow configuration guidance, resetting keyCredentials afterward.

CISA has mandated that all Federal Civilian Executive Branch agencies mitigate a critical Microsoft Exchange vulnerability (CVE-2025-53786) by 9:00 AM ET on Monday. This flaw allows attackers with admin access to on-premises Exchange servers to compromise Microsoft cloud environments. Agencies must inventory their Exchange setups, apply necessary updates, and switch to a dedicated service principal. Failure to comply could lead to complete hybrid environment compromise. CISA urges all organizations to take similar actions.

CISA has issued an emergency directive for federal agencies to patch a vulnerability in Microsoft Exchange servers by August 11. The flaw, affecting hybrid setups of Exchange 2016, 2019, and Subscription Edition, allows attackers to hijack authentication tokens, potentially granting access to cloud environments. Microsoft recommends applying an April hotfix and following specific setup instructions to mitigate risks. The issue is tracked as CVE-2025-53786, with no active exploitation reported yet.

Over 28,000 unpatched Microsoft Exchange servers are vulnerable to CVE-2025-53786, a critical flaw allowing privilege escalation in hybrid deployments. CISA issued Emergency Directive 25-02 on August 7, 2025, mandating federal agencies to address this by August 11. The flaw, with a CVSS score of 8.0, affects servers in the U.S., Germany, and Russia. Microsoft recommends installing the April 2025 hotfix and implementing configuration changes. CISA urges all organizations to follow the directive to mitigate risks.